Heat System Called Door to Target for Hackers

SAN FRANCISCO — Investigators say they believe they have identified the entry point through which hackers got into Target’s systems, zeroing in on the remote access granted through the retailer’s computerized heating and cooling software, according to two people briefed on the inquiry.

The latest revelation highlights the reality that a large company is actually a sprawling network of interconnected vendors, and that weak security at any one vendor can lead to a breach that costs hundreds of millions of dollars.

Target, Neiman Marcus and the Michaels chain of arts and crafts stores are among the major retailers whose systems have been hacked with what investigators suspect is similar malware that invades the computerized register system and snatches consumer data, according to people with knowledge of the investigations. But it has not been disclosed whether other companies were possibly invaded through outside vendors with remotely controlled access.

Target had already confirmed that hackers used a vendor’s stolen credentials to get inside its corporate network and crawl into a server containing 70 million customers’ names, mailing addresses and email addresses and into the company’s crown jewels: the in-store cash register systems that authorized 40 million customers’ credit and debit cards over the course of a few weeks during the holiday shopping season last year.

Using the vendor’s access, hackers were able to burrow into Target’s systems so thoroughly that even three days after Target thought it had expelled them, the retailer found malware on 25 registers, John J. Mulligan, Target’s chief financial officer, testified at a Senate hearing on Tuesday.

Molly Snyder, a Target spokeswoman, said the company would not comment on its vendors or specific details of the investigation.

Brian Krebs, a security blogger who first reported the Target breach, was also the first on Wednesday to identify the vendor whose remote access had been compromised. But investigators would not confirm the vendor’s identity. Security experts say that it is common for heating, ventilation and air-conditioning companies — so-called HVAC companies — to be granted network access to clients so that they can monitor retail stores and diagnose problems remotely.

“Remote access to these systems is really common and integrators are almost always on the corporate network,” said Billy Rios, director of threat intelligence at Qualys, a cloud security firm. Mr. Rios said that the security at such companies tended to be poor and that vendors often used the same password across multiple customers.

Mr. Rios and Terry McCorkle, also of Qualys, said that over the last two years they found 55,000 HVAC systems connected to the Internet. In most cases, they said, the systems contained basic security flaws that would allow hackers a way into companies’ corporate networks, or the companies installing and monitoring these systems reused the same remote access passwords across multiple clients.

The payment card industry’s data security requirements dictate how employees, administrators and vendors can remotely connect to systems. They require that merchants like Target employ two-factor authentication — which adds a second, temporary password during the login process — for employees, administrators and vendors trying to gain entry to their systems remotely.

Security specialists confirmed Wednesday that Target’s heating, ventilation and air-conditioning systems were connected to the Internet. But Target would not say whether its vendors were required to use two-factor authentication or to use virtual private network, or VPN, technology, which creates a private tunnel between employees and vendors working remotely and the company’s private corporate network. The company has said, however, that it passed a security audit before its breach last November.